The Best Damn Firewall Book Period
The term firewall comes from the bricks-and-mortar architectural world. In buildings, a firewall is a wall built from heat- or fire-resistant material such as concrete that is intended to slow the spread of fire through a structure. In the same way, a network firewall is intended to stop unauthorized traffic from traveling from one network to another. The most common deployment of firewalls occurs between a trusted network and an untrusted one, typically the Internet.
In the past, it was actually rather common for Internet-connected organizations to have no firewalls, instead simply relying on the security of their host systems to protect their data. As networks got larger, it became unwieldy and risky to try to adequately secure each and every host, especially given the ever-increasing hacker threat.
Regardless of what type of firewall you're using, a firewall provides several services. The most essential firewall functions include:
- IP address conservation and traffic forwarding: Many firewalls act as routers so that different networks (for example, 192.168.1.0/24 and 10.100.100.0/24) can communicate with each other, and many network administrators use this function to create additional subnets. It is counted as a firewall function here simply because, on Linux, it is configured with the same tool as the filtering rules, ipchains or iptables. Thus, anyone with only one public IP address can build a local area network (LAN) or wide area network (WAN) that has full access to the Internet. A firewall does not have to provide Network Address Translation (NAT), but many firewalls (including Linux with ipchains or iptables) let you enable it.
- Network differentiation: A firewall is the primary means of creating a boundary between your network and any other network. Because it creates a clear distinction between networks, it helps you manage traffic. A firewall does not have to sit between a trusted, private network and the Internet; it is often deployed inside a company network to separate certain divisions (such as research and development or accounting) from the rest of the network.
- Protection against DoS, scanning, and sniffing attacks: A firewall is a single point through which all incoming and outgoing traffic passes, so it can rate-limit or drop whatever traffic you choose, including the floods and probe packets these attacks depend on.
- IP and port filtering: The ability to allow or reject a connection based on IP address and port, probably the most widely understood function of a firewall. This kind of filtering is generally done by packet filters (for example, Linux systems using ipchains or iptables). Packet filtering can become quite complex, because traffic can be filtered according to the packet's source as well as its destination. For example, a packet filter can block traffic to your network if it originates from a particular IP address and port.
- Content filtering: Proxy servers are generally the only type of firewall that manages and controls traffic by inspecting URLs and page content. Properly configured, a proxy-oriented firewall can identify and block content you consider objectionable.
- Packet redirection: Sometimes a firewall must send traffic to another port, or to another host altogether. For example, if you run the Squid proxy server on a host separate from your firewall, you will probably want the firewall to forward all traffic sent to ports 80 and 443 (the standard HTTP and HTTPS ports) to the proxy for additional processing.
- Enhanced authentication and encryption: A firewall can authenticate users and can encrypt transmissions between itself and the firewall of another network.
- Supplemented logging: One of the most important, though commonly ignored, benefits of a firewall is that it lets you examine the details of every packet that passes through it. You can learn, for example, about port scans and about the connections made to your systems.
Firewalls, by definition, do not provide you with all of your network's security functions, nor should they. Other systems should provide you with authentication mechanisms (passwords, public key, or digital certificates), intrusion detection, or remote access (Virtual Private Networks or dial-up). These are separate functions of your network, and your firewall should not be taxed with other functions.
Types of Firewalls
Although the original Firewall Toolkit (usually referred to simply as fwtk) used a proxy-type design, other types of firewalls take a very different approach. Before we look at these, recall the Open Systems Interconnection (OSI) model (see Figure 2.1).
Using this model as a reference, we can compare how the types of firewalls operate and make informed decisions about which type of firewall is appropriate for a particular need.
Packet Filters
In its most basic form, a packet filter decides whether to forward a packet based only on information found at the IP and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) layers; in effect, a packet filter is a router with some intelligence. A packet filter handles each packet in isolation; it does not keep track of TCP sessions. It is therefore poorly equipped to detect spoofed packets that arrive on the outside interface pretending to be part of an existing session simply by having the Acknowledge (ACK) flag set in the TCP header. Packet filters are configured to allow or block traffic according to source and destination IP address, source and destination port, and protocol (TCP, UDP, Internet Control Message Protocol [ICMP], and so on).
So why would you use a packet filter if spoofing is so easy? The primary benefit is speed. Since it does not have to do any inspection of application data, a packet filter can operate nearly as fast as a router that is performing only packet routing and forwarding. As we will see, however, the packet filter concept has been improved.
Stateful Inspection Packet Filters
The concept of stateful inspection came about in an effort to improve on the capability and security of regular packet filters while still capitalizing on their inherent speed. A packet filter with stateful inspection is able to keep track of network sessions, so when it receives an ACK packet, it can determine its legitimacy by matching the packet to the corresponding entry in the connection table. An entry is created in the connection table when the firewall sees the first Synchronize (SYN) packet that begins the TCP session. This entry is then referenced for succeeding packets in the session. Entries are automatically timed out after some configurable timeout period.
Statefulness can also be applied, in a pseudo fashion, to UDP, which has no concept of a session. In this case, the firewall creates an entry in the connection table when it sees the first UDP packet go out. A UDP packet arriving from the less secure network is accepted only if it matches that entry, that is, only if it looks like the response to a request the firewall has already seen. Moving up to the application layer, statefulness is also useful for protocols such as File Transfer Protocol (FTP). FTP is unusual in that the server the user connects to on port 21 initiates a separate data connection back to the client, from its own port 20 to a port the client announced on the control connection, when a file download is requested. If the firewall has not kept track of the control connection that was initially established, it will not let the data connection back in. The same concept applies to many of the newer multimedia protocols such as RealAudio and NetMeeting.
Stateful inspection packet filters remain the speed kings of firewalls and are the most flexible where new protocols are concerned, but they are sometimes less secure than application proxies. Check Point FireWall-1 (FW-1) and the Cisco PIX are the leading examples of this type of firewall.
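The last three sections (IP and port filtering, the ACK-flag weakness of a plain packet filter, and the stateful connection table with timeouts, UDP pseudo-state and the FTP data connection) as an added example in Python. This code is not from the book and not from any product named here; the addresses, the timeouts and the choice of 10.0.0.0/24 as the trusted LAN are assumptions, and the packets are constructed for the demonstration.

```python
# Added example, not from the book: a toy stateless packet filter beside a toy
# stateful inspection filter, run over constructed packets. The addresses, the
# timeouts and the choice of 10.0.0.0/24 as the trusted LAN are assumptions.
from collections import namedtuple

# proto is "tcp" or "udp"; flags holds TCP flag names, e.g. {"SYN", "ACK"};
# payload is looked at only to parse the FTP PORT command.
Packet = namedtuple("Packet", "proto src sport dst dport flags payload",
                    defaults=(frozenset(), b""))

def tcp(src, sport, dst, dport, *flags, data=b""):
    return Packet("tcp", src, sport, dst, dport, frozenset(flags), data)

def is_inside(ip):
    return ip.startswith("10.0.0.")            # assumed trusted network

def is_outbound(pkt):
    return is_inside(pkt.src) and not is_inside(pkt.dst)

def stateless_filter(pkt):
    """Anything may go out; coming back in, only TCP with ACK set (taken to be a
    reply) or UDP from port 53 (taken to be a DNS reply). Nothing remembers which
    sessions exist, so a spoofed packet with ACK set passes: the hole the text describes."""
    if is_outbound(pkt):
        return True
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags
    return pkt.proto == "udp" and pkt.sport == 53

class StatefulFilter:
    """Connection table keyed by 5-tuple; inbound packets need a matching entry."""

    def __init__(self, tcp_timeout=3600.0, udp_timeout=30.0):
        self.limits = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.table = {}                        # (proto, src, sport, dst, dport) -> last seen
        self.expected = set()                  # related connections announced via FTP PORT

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.limits.get(k[0], 0.0)}

    def _learn_ftp_port(self, pkt):
        """Active FTP: the client sends 'PORT h1,h2,h3,h4,p1,p2' on the control
        connection; expect the server to connect from its port 20 to that address."""
        words = pkt.payload.decode("ascii", "replace").strip().split(" ", 1)
        nums = words[1].split(",") if words[0] == "PORT" and len(words) == 2 else []
        if len(nums) != 6 or not all(n.isdigit() for n in nums):
            return
        host, port = ".".join(nums[:4]), int(nums[4]) * 256 + int(nums[5])
        if host == pkt.src:                    # never open a hole to a third party
            self.expected.add(("tcp", pkt.dst, 20, host, port))

    def filter(self, pkt, now):
        """Verdict for one packet; 'now' is passed in so the timeouts are testable."""
        self._expire(now)
        k = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for entry in (k, (k[0], k[3], k[4], k[1], k[2])):   # either direction
            if entry in self.table:            # belongs to a tracked session
                self.table[entry] = now
                if pkt.proto == "tcp" and pkt.dport == 21 and is_outbound(pkt):
                    self._learn_ftp_port(pkt)
                return True
        if is_outbound(pkt):                   # new session opened from inside
            if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                return False                   # a TCP session starts with a bare SYN
            self.table[k] = now
            return True
        if k in self.expected and "SYN" in pkt.flags:   # announced related connection
            self.expected.discard(k)
            self.table[k] = now
            return True
        return False                           # unsolicited inbound packet

def run_scenario():
    """Constructed traffic; returns the verdicts so the two filters can be compared."""
    fw = StatefulFilter()
    syn = tcp("10.0.0.5", 40000, "203.0.113.10", 80, "SYN")
    synack = tcp("203.0.113.10", 80, "10.0.0.5", 40000, "SYN", "ACK")
    spoof = tcp("198.51.100.7", 6000, "10.0.0.5", 22, "ACK")          # no such session
    query = Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53)
    reply = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353)
    stray = Packet("udp", "203.0.113.53", 53, "10.0.0.9", 1234)        # nobody asked
    ctl_syn = tcp("10.0.0.5", 40001, "203.0.113.21", 21, "SYN")
    ctl_synack = tcp("203.0.113.21", 21, "10.0.0.5", 40001, "SYN", "ACK")
    port_cmd = tcp("10.0.0.5", 40001, "203.0.113.21", 21, "ACK", "PSH",
                   data=b"PORT 10,0,0,5,157,0\r\n")                    # 157*256+0 = 40192
    data_syn = tcp("203.0.113.21", 20, "10.0.0.5", 40192, "SYN")
    other_syn = tcp("203.0.113.21", 20, "10.0.0.5", 40193, "SYN")      # not announced
    return {
        "handshake": (fw.filter(syn, 0.0), fw.filter(synack, 0.1)),
        "spoofed_ack": (stateless_filter(spoof), fw.filter(spoof, 1.0)),
        "stray_dns": (stateless_filter(stray), fw.filter(stray, 2.0)),
        "udp": (fw.filter(query, 3.0), fw.filter(reply, 3.5), fw.filter(reply, 40.0)),
        "ftp": (fw.filter(ctl_syn, 50.0), fw.filter(ctl_synack, 50.1), fw.filter(port_cmd, 50.2),
                stateless_filter(data_syn), fw.filter(data_syn, 50.3), fw.filter(other_syn, 50.4)),
    }
```

Calling run_scenario() shows the point of each paragraph side by side: the stateless filter waves the spoofed ACK packet and the stray "DNS reply" through while the stateful one drops both, the UDP reply is accepted only until its entry times out, and the FTP data connection, which has no ACK set and so fails the stateless rule, is accepted by the stateful filter only for the address and port the client announced. Real implementations (Netfilter's connection tracking behind iptables, for instance) do this bookkeeping in the kernel and follow the TCP state machine more closely; the bare-SYN rule and the PORT parser here are the minimum that makes the mechanism visible.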
Application Proxies
As the name implies, application proxy firewalls act as intermediaries in network sessions. The user's connection terminates at the proxy, and a corresponding, separate connection is initiated from the proxy to the destination host. Connections are analyzed all the way up to the application layer to determine whether they are allowed. It is this characteristic that gives proxies a higher level of security than packet filters, stateful or otherwise. As you might imagine, however, this additional processing exacts a toll on performance. Figure 2.2 shows how packet processing is handled at the application layer before the packet is passed on or blocked.
One potentially significant limitation of application proxies is that as new application protocols are implemented, corresponding proxies must be developed to handle them. This means that you could be at the mercy of your vendor if there is a hot new video multicasting technology, for example, but there is no proxy for it.
Note: Modern proxy-based firewalls often provide the ability to configure generic proxies for IP, TCP, and UDP. Although not as secure as proxies that work at the application layer, these configurable proxies often allow newer protocols to pass.
Examples of proxy-based firewalls include Gauntlet from Secure Computing (acquired from Network Associates) and Symantec Raptor (also known as Enterprise Firewall).